Cyber insurance used widely but not deeply
Report shows many companies not taking full advantage of cyber insurance investment
By Dominic Keller | Global Head of Cyber Services, QBE
With cyber risks becoming a priority for businesses of all sizes, many now carry some form of cyber insurance. But a number of these organizations are not aware of the value-added risk management services offered by their cyber insurers.
A recent survey from QBE, in partnership with Zywave, found that there is significant potential for improvement in communicating and raising awareness of risk management services that are included as part of a cyber insurance policy. In the 2024 Cyber Insurance Report, risk professionals and insurance buyers with primarily large organizations were surveyed, with 50% of respondents having revenues exceeding $1 billion.
Key themes in cyber risk management that the report revealed include:
Buyers perceive value in cyber insurance. More than 80% of respondents, half of them representing large companies, buy some form of cyber insurance, mostly in the form of standalone policies. Notably, cost is not a principal barrier to buying coverage. Asked about their challenges in managing organizational cyber risk, respondents ranked the price of insurance fourth. Ranking as more pressing challenges were the cost of cybersecurity systems, services and the availability of qualified IT staff.
With more than 60% of respondents reporting a cyber event, it is crucial that businesses do not underestimate the financial, operational and reputational impacts of a cyber incident. Having adequate cyber coverage in place is a critically important component of a proactive and robust cyber defense strategy.
Opportunity to increase awareness of cyber risk services. Survey respondents said, after the risk transfer itself, they viewed insurer breach response and incident response planning services as the most valuable features of their cyber policies.
While coverages and risk management services vary based on the insurance carrier and policy, 50% of respondents report that they were aware of the availability of additional risk management services provided by insurers. Forty percent of respondents utilize additional risk management services provided as part of the cyber policy offering. Cyber insurance buyers should review these complementary cyber risk services as they add significant value to their cyber insurance investment and can enhance their cyber resilience.
Potential for improved board and C-suite awareness. The survey suggests that insurers and brokers could increase communication aimed at senior leadership to demonstrate the value of cyber insurance and related cyber risk services. Almost 50% of respondents said their boards are “somewhat familiar” with the organization’s cyber policy and services, while less than 20% are “extremely familiar,” and 16% are “not at all familiar.” Meanwhile, only 38% of respondents said their company’s information security and risk management professionals “frequently” discuss cyber insurance, and 27% said those leaders discuss cyber insurance “just around renewal time.” As organizational leaders increasingly focus on cyber risk management, these survey results indicate that further steps could be taken to increase awareness of the ROI of cyber insurance across risk transfer and additional value-added services.
Cyber service vendor selection. One area the report explored is vendor management as it relates to breach and incident response vendors. Even though survey respondents see breach response and incident response planning as valuable parts of their cyber coverage, 45% did not rely on their insurers to develop those relationships, 23% built the relationships with the help of their insurance partners and 30% did not know if their organization had established relationships or built them.
If businesses choose to work with external breach response vendors, businesses should seek approval of those vendors from their insurers. Without the insurer’s approval, friction may arise during the claims process.
Addressing cyber risks as core business risks is critically important for organizations to effectively manage evolving cyber threats and achieve their business objectives. The survey responses indicate that organizations are incorporating cyber insurance as a key part of their cyber risk management strategy, and there are significant opportunities to increase awareness of carrier risk management services to further drive the value of purchasing cyber insurance.
As cyber threats evolve, there is an increasing need to manage cyber risks across technical, operational, financial and leadership functions. Ongoing training of the workforce, effective governance, proactive cyber incident preparedness and leadership engagement with cyber risk management are all important aspects of managing the fast-evolving and dynamic cyber risk landscape. At the same time, the diverse risk management services that insurers provide and the insights offered can improve the value of the cyber insurance partnership.
Almost half the survey respondents said a key reason to interact with their insurers is to seek the insurer’s advice on cybersecurity measures and risk mitigation strategies. The survey responses show there is strong interest among risk professionals for more education on cyber threats and risk management strategies to better understand the impacts of cyber events.
For more information on QBE’s Global Cyber Services and Insurance solutions, please visit https://www.qbe.com/us/cyber.
Dominic Keller is the Global Head of Cyber Services at QBE. Before joining QBE, he was global team leader of cyber risk solutions at a global insurance brokerage. Dominic is a qualified attorney in Australia and California, holds the CISSP cybersecurity certification and has studied Corporate Strategy at the Chicago Booth School of Business. He is a regular speaker at conferences and industry events.
QBE makes no warranty, representation, or guarantee regarding the information herein or the suitability of these suggestions or information for any particular purpose. QBE hereby disclaims any and all liability concerning the information contained herein and the suggestions herein made. Moreover, it cannot be assumed that every acceptable risk transfer procedure is contained herein or that unusual or abnormal circumstances may not warrant or require further or additional risk transfer policies and/or procedures. The use of any of the information or suggestions described herein does not amend, modify, or supplement any insurance policy. Consult the actual policy or your agent for details about your coverage.
QBE and the links logo are registered service marks of QBE Insurance Group Limited. © 2024 QBE Holdings, Inc.